I'm setting up a wireless AP with OpenWRT to support dynamic VLANs, provided by a RADIUS server.
I found a guide on OpenWRT.org which I followed, and with some extra research I'm almost there. The only thing not working is the dynamic vlan assignment. And I can't figure out why.
I'm running 15.05 Chaos Calmer on a TP-Link Archer C7 in 'ap' mode. Firewall and DHCP are turned off, as they are provided by the network.
I can authenticate with the RADIUS server and log in to both my internal and guest network if I manually bridge the SSID to the desired VLAN. Dynamic VLANs are not working though. FreeRadius is correctly transmitting the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, as checked with Wireshark. I'm not sure, but I think it might have something to do with hostapd not getting the right settings.
Any help would be greatly appreciated.
My /etc/config/wireless looks as follows:
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'WTD_Test_Rad'
	option encryption 'wpa2'
	option server '172.16.20.105'
	option key 'RadiusSecret'
	option dynamic_vlan '2'
	option vlan_tagged_interface 'eth1'
	option vlan_naming 0
	option vlan_bridge 'br-vlan'
But I cannot find these VLAN settings in the hostapd config file: /var/run/hostapd-phy1.conf
interface=wlan1
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_server_addr=172.16.20.105
auth_server_port=1812
auth_server_shared_secret=RadiusSecret@WalkingTheDog
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=WTD_Test_Rad
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=60:e3:27:58:3a:8d
The hostapd -dd output shows it receiving the right AVPs, but it doesn't seem to care about any of them.
wlan1: RADIUS Received 195 bytes from RADIUS server
wlan1: RADIUS Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=79 length=195
Attribute 79 (EAP-Message) length=6
Value: 03f50004
Attribute 80 (Message-Authenticator) length=18
Value: d544a5f47ae84b9716fd76fb447a54e7
Attribute 1 (User-Name) length=10
Value: 'Mdirickx'
Attribute 64 (Tunnel-Type) length=6
Value: 0000000d
Attribute 65 (Tunnel-Medium-Type) length=6
Value: 00000006
Attribute 81 (Tunnel-Private-Group-Id) length=3
Value: 32
Attribute 1 (User-Name) length=10
Value: 'Mdirickx'
wlan1: STA 40:78:6a:53:eb:fb RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: old identity 'Mdirickx' updated with User-Name from Access-Accept 'Mdirickx'
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: decapsulated EAP packet (code=3 id=245 len=4) from RADIUS server: EAP Success
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: Sending EAP Packet (identifier 245)
wlan1: STA 40:78:6a:53:eb:fb WPA: sending 1/4 msg of 4-Way Handshake
wlan1: STA 40:78:6a:53:eb:fb WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan1: STA 40:78:6a:53:eb:fb WPA: sending 3/4 msg of 4-Way Handshake
wlan1: STA 40:78:6a:53:eb:fb WPA: received EAPOL-Key frame (4/4 Pairwise)
wlan1: STA 40:78:6a:53:eb:fb WPA: pairwise key handshake completed (RSN)
wlan1: AP-STA-CONNECTED 40:78:6a:53:eb:fb
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: authorizing port
wlan1: STA 40:78:6a:53:eb:fb RADIUS: starting accounting session 56EC0FBB-00000004
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
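The two checks described in the post, as an added example that is not part of the original post: decode the tunnel attributes from a `hostapd -dd` Access-Accept dump into the VLAN ID they assign (RFC 2868/RFC 3580 encoding), and list which of the VLAN options from /etc/config/wireless are absent from the generated hostapd config. The function names and the embedded sample strings are constructed for illustration.

```python
import re

# Constructed sample: the tunnel attributes from the Access-Accept dump above.
SAMPLE_DEBUG = """\
Attribute 64 (Tunnel-Type) length=6
Value: 0000000d
Attribute 65 (Tunnel-Medium-Type) length=6
Value: 00000006
Attribute 81 (Tunnel-Private-Group-Id) length=3
Value: 32
"""
# Constructed sample: a few lines of the generated hostapd config above.
SAMPLE_CONF = "interface=wlan1\nieee8021x=1\nwpa=2\nwpa_key_mgmt=WPA-EAP\n"

# Matches only attributes whose value is dumped as hex (strings are quoted).
ATTR_RE = re.compile(r"Attribute (\d+) \([^)]*\) length=\d+\s+Value: ([0-9a-fA-F]+)")

def decode_vlan(debug_text):
    """Return the VLAN ID an RFC 3580 Access-Accept assigns, or None."""
    attrs = {int(t): bytes.fromhex(v) for t, v in ATTR_RE.findall(debug_text)}
    if not all(k in attrs for k in (64, 65, 81)):
        return None
    # Types 64/65: one tag octet followed by a 3-octet value (RFC 2868).
    tunnel_type = int.from_bytes(attrs[64][1:], "big")
    medium_type = int.from_bytes(attrs[65][1:], "big")
    if tunnel_type != 13 or medium_type != 6:  # 13 = VLAN, 6 = IEEE-802
        return None
    group = attrs[81]
    if group and group[0] <= 0x1F:  # optional leading tag octet
        group = group[1:]
    try:
        vlan = int(group.decode("ascii"))  # VLAN ID is sent as ASCII digits
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None

def missing_vlan_options(conf_text):
    """List VLAN options (names as in the post) absent from the config."""
    wanted = ["dynamic_vlan", "vlan_tagged_interface", "vlan_bridge", "vlan_naming"]
    present = {line.split("=", 1)[0].strip()
               for line in conf_text.splitlines() if "=" in line}
    return [key for key in wanted if key not in present]

if __name__ == "__main__":
    print("VLAN from RADIUS:", decode_vlan(SAMPLE_DEBUG))
    print("Missing from hostapd config:", missing_vlan_options(SAMPLE_CONF))
```

On the data shown in the post, the Tunnel-Private-Group-Id value `32` is the ASCII digit "2", so the server is assigning VLAN 2, while the generated config carries none of the four VLAN options.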